research-article

A model of the spread of randomly scanning Internet worms that saturate access links

Authors:

Milan VojnovićAuthors Info & Claims

ACM Transactions on Modeling and Computer Simulation (TOMACS), Volume 18, Issue 2

Article No.: 6, Pages 1 - 14

https://doi.org/10.1145/1346325.1346327

Published: 28 April 2008 Publication History

Get Access

Abstract

We present a simple, deterministic mathematical model for the spread of randomly scanning and bandwidth-saturating Internet worms. Such worms include Slammer and Witty, both of which spread extremely rapidly. Our model, consisting of coupled Kermack-McKendrick (a.k.a. stratified susceptibles-infectives (SI)) equations, captures both the measured scanning activity of the worm and the network limitation of its spread, that is, the effective scan-rate per worm/infective. The Internet is modeled as an ideal core network to which each peripheral (e.g., enterprise) network is connected via a single access link. It is further assumed in this note that as soon as a single end-system in the peripheral network is infected by the worm, the subsequent scanning of the rest of the Internet saturates the access link, that is, there is “instant” saturation. We fit our model to available data for the Slammer worm and demonstrate the model's ability to accurately represent Slammer's total scan-rate to the core.

References

[1]

Chen, Z., Gao, L., and Kwait, K. 2003. Modeling the spread of active worms. In Proceedings of IEEE INFOCOM (San Fransisco, CA).

Google Scholar

[2]

Cooke, E., Bailey, M., Mao, Z., Watson, D., Jahanian, F., and McPherson, D. 2004. Toward understanding distributed blackhole placement. In Proceedings of ACM WORM (Washington, DC).

Digital Library

Google Scholar

[3]

Daley, D. and Gani, J. 1999. Epidemic Modeling, an Introduction. Cambridge University Press, Cambridge, U.K.

Google Scholar

[4]

Kesidis, G., Hamadeh, I., and Jiwasurat, S. 2005. Coupled Kermack-McKendrick models for randomly scanning and bandwidth saturating Internet worms. In Proceedings of QoS-IP. Springer-Verlag, Berlin, Germany.

Digital Library

Google Scholar

[5]

Kurtz, T. 1981. Approximation of population processes. In Proceedings of the CBMS-NSF Regional Conference Series in Applied Mathematics. Vol. 36.

Crossref

Google Scholar

[6]

Li, L., Jiwasurat, S., Hamadeh, I., Kesidis, G., Neumann, C., and Liu, P. 2006. Emulating sequential scanning worms on the DETER testbed. In Proceedings of IEEE/Create-Net TridentCom. (Barcelona, Spain).

Google Scholar

[7]

Liljenstam, M., Nicol, D., Berk, V., and Gray, R. 2003. Simulating realistic network worm traffic for worm warning system design and testing. In Proceedings of ACM WORM (Washington, DC).

Digital Library

Google Scholar

[8]

Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., and Weaver, N. 2003a. Inside the Slammer worm. IEEE Sec. Priv. 1, 4, 33--39.

Digital Library

Google Scholar

[9]

Moore, D., Shannon, C., Voelker, G. M., and Savage, S. 2003b. Internet quarantine: Requirements for containing self-propagating code. In Proceedings of IEEE INFOCOM. (San Francisco, CA).

Google Scholar

[10]

Staniford, S., Paxson, V., and Weaver, N. 2002. How to own the Internet in your spare time. In Proceedings of USENIX Security Symposium. 149--167.

Digital Library

Google Scholar

[11]

Weaver, N., Hamadeh, I., Kesidis, G., and Paxson, V. 2004a. Preliminary results using scale-down to explore worm dynamics. In Proceedings of ACM WORM (Washington, DC).

Digital Library

Google Scholar

[12]

Weaver, N., Staniford, S., and Paxson, V. 2004b. Very fast containment of scanning worms. In Proceedings of the 13th USENIX Security Symposium.

Digital Library

Google Scholar

[13]

Zou, C., Gong, W., and Towsley, D. 2002. Code Red worm propagation modeling and analysis. In Proceedings of the 9th ACM Conference on Computer and Communication Security (CCS'02, Washington, DC).

Digital Library

Google Scholar

[14]

Zou, C., Gong, W., and Towsley, D. 2003. Worm propagation modeling and analysis under dynamic quarantine defense. In Proceedings of the ACM CCS Workshop on Rapid Malcode (WORM'03, Washington, DC).

Digital Library

Google Scholar

Cited By

View all

Huh JChoi JSeo K(2021)Smart Trash Bin Model Design and Future for Smart CityApplied Sciences10.3390/app1111481011:11(4810)Online publication date: 24-May-2021
https://doi.org/10.3390/app11114810
Huh J(2019)Reefer container monitoring system using PLC-based communication technology for maritime edge computingThe Journal of Supercomputing10.1007/s11227-019-02864-z76:7(5221-5243)Online publication date: 27-Apr-2019
https://dl.acm.org/doi/10.1007/s11227-019-02864-z
Liu BZhou WGao LZhou HLuan TWen S(2018)Malware Propagations in Wireless Ad Hoc NetworksIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2016.264219115:6(1016-1026)Online publication date: 1-Nov-2018
https://doi.org/10.1109/TDSC.2016.2642191
Show More Cited By

Index Terms

A model of the spread of randomly scanning Internet worms that saturate access links
1. Computer systems organization
  1. Architectures
    1. Distributed architectures
2. Software and its engineering
  1. Software organization and properties
    1. Software system structures
      1. Distributed systems organizing principles

Recommendations

Search worms
WORM '06: Proceedings of the 4th ACM workshop on Recurring malcode

Worms are becoming more virulent at the same time as operating system improvements try to contain them.Recent research demonstrates several effective methods to detect and prevent randomly scanning worms from spreading [2, 13]. As a result, worm authors ...
Defending against hitlist worms using network address space randomization
WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcode

Worms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms ...
Modeling the spread of internet worms via persistently unpatched hosts

This article considers the effects of Internet worms on persistently unpatched hosts and hosts for which vulnerabilities are refreshed. Previous models have been homogeneous; that is, all hosts transitioned through the same set of states. The model ...

Reviews

Reviewer: Cecilia G. Manrique

Internet worms are computer programs that are launched to infiltrate machines, and replicate themselves to infect other machines, often with code to make those machines crash or fail. This very interesting technical paper provides readers with the mathematical explanation for the spread of several known worms. The paper uses tables, graphs, figures, and mathematical equations to explain the simple mathematical model developed to show the spread of randomly scanning and bandwidth saturating worms, such as Slammer and Witty, which have been determined to spread extremely rapidly. The model uses coupled Kermack-McKendrick equations; it shows the impact that the worm would have on the core of the Internet, and applies the model to the Slammer worm, which the model seems to accurately represent. In the appendix, the authors provide the mathematical proof of the theorem. Their simulation code is also available online. The value of such studies lies in the ability to understand the spread of one of the major cyber threats to our dependence on the Internet: the use of viruses and worms to downgrade the value of technology. By constantly testing and expanding the explanations, as well as our understanding of such activities on the Internet, we may be better able to diagnose them, ward them off, and maybe even prevent their spread and impact on the many machines and users in the system-a true service to the accumulation of knowledge that has practical real-world applications. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Modeling and Computer Simulation

ACM Transactions on Modeling and Computer Simulation Volume 18, Issue 2

April 2008

97 pages

ISSN:1049-3301

EISSN:1558-1195

DOI:10.1145/1346325

Issue’s Table of Contents

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 April 2008

Accepted: 01 April 2006

Revised: 01 October 2005

Received: 01 December 2004

Published in TOMACS Volume 18, Issue 2

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

National Science Foundation

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

14
Total Citations
View Citations
568
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)3

Reflects downloads up to 31 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Huh JChoi JSeo K(2021)Smart Trash Bin Model Design and Future for Smart CityApplied Sciences10.3390/app1111481011:11(4810)Online publication date: 24-May-2021
https://doi.org/10.3390/app11114810
Huh J(2019)Reefer container monitoring system using PLC-based communication technology for maritime edge computingThe Journal of Supercomputing10.1007/s11227-019-02864-z76:7(5221-5243)Online publication date: 27-Apr-2019
https://dl.acm.org/doi/10.1007/s11227-019-02864-z
Liu BZhou WGao LZhou HLuan TWen S(2018)Malware Propagations in Wireless Ad Hoc NetworksIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2016.264219115:6(1016-1026)Online publication date: 1-Nov-2018
https://doi.org/10.1109/TDSC.2016.2642191
Chenyu Zheng Sicker D(2013)A Survey on Biologically Inspired Algorithms for Computer NetworkingIEEE Communications Surveys & Tutorials10.1109/SURV.2013.010413.0017515:3(1160-1191)Online publication date: Nov-2014
https://doi.org/10.1109/SURV.2013.010413.00175
Magkos EAvlonitis MKotzanikolaou PStefanidakis M(2013)Toward early warning against Internet worms based on critical-sized networksSecurity and Communication Networks10.1002/sec.5346:1(78-88)Online publication date: 1-Jan-2013
https://dl.acm.org/doi/10.1002/sec.534
Kesidis G(2010)An Introduction to Models of Online Peer-to-Peer Social NetworkingSynthesis Lectures on Communication Networks10.2200/S00313ED1V01Y201011CNT0083:1(1-125)Online publication date: Jan-2010
https://doi.org/10.2200/S00313ED1V01Y201011CNT008
Wu DTang CDhungel PSaxena NRoss K(2010)On the Privacy of Peer-Assisted Distribution of Security Patches2010 IEEE Tenth International Conference on Peer-to-Peer Computing (P2P)10.1109/P2P.2010.5569988(1-10)Online publication date: Aug-2010
https://doi.org/10.1109/P2P.2010.5569988
Wu DDhungel PHei XZhang CRoss K(2010)Understanding Peer Exchange in BitTorrent Systems2010 IEEE Tenth International Conference on Peer-to-Peer Computing (P2P)10.1109/P2P.2010.5569967(1-8)Online publication date: Aug-2010
https://doi.org/10.1109/P2P.2010.5569967
Dressler FAkan O(2010)A survey on bio-inspired networkingComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2009.10.02454:6(881-900)Online publication date: 1-Apr-2010
https://dl.acm.org/doi/10.1016/j.comnet.2009.10.024
Meisel MPappas VZhang L(2010)A taxonomy of biologically inspired research in computer networkingComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2009.08.02254:6(901-916)Online publication date: 1-Apr-2010
https://dl.acm.org/doi/10.1016/j.comnet.2009.08.022
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Search worms

Defending against hitlist worms using network address space randomization

Modeling the spread of internet worms via persistently unpatched hosts

Reviews

Access critical reviews of Computing literature here

Comments

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Search worms

Defending against hitlist worms using network address space randomization

Modeling the spread of internet worms via persistently unpatched hosts

Reviews

Access critical reviews of Computing literature here

Comments

Information

Published In

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations